New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ambient: fix auto-allow waypoint #50710
Conversation
Probably we need to increase our test coverage here
47740eb
to
3df654d
Compare
2807dc2
to
5151551
Compare
5151551
to
8c3042c
Compare
@@ -124,7 +126,7 @@ func implicitWaypointPolicy(ctx krt.HandlerContext, waypoint Waypoint) *model.Wo | |||
{ | |||
Principals: slices.Map(waypoint.ServiceAccounts, func(sa string) *security.StringMatch { | |||
return &security.StringMatch{MatchType: &security.StringMatch_Exact{ | |||
Exact: spiffe.MustGenSpiffeURI(waypoint.Namespace, sa), | |||
Exact: strings.TrimPrefix(spiffe.MustGenSpiffeURI(waypoint.Namespace, sa), spiffe.URIPrefix), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do the SANs not have a spiffe://
prefix? Do SPIRE generated SANs have a spiffe prefix?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, can't we just use StringMatch_Prefix
directly here, rather than trimming the prefix?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// Istio matches all assumes spiffe:// prefix. This includes prefix matches.
// A prefix match for "*foo" means "spiffe://*foo".
// So we strip it, and fail if it isn't present.
let Some(check) = check.strip_prefix("spiffe://") else {
return false;
};
This is what zTunnel does
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Istio matches all assumes spiffe:// prefix. This includes prefix matches.
why do we assume that, I wonder. It's not simpler than just matching on spiffe://ns/sa
prefixes consistently everywhere, since, as @keithmattix pointed out, the spiffe://
prefix is non-optional.
Oh well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Property of the AuthorizationPolicy API fwiw, not a recent decision in ztunnel
In response to a cherrypick label: new pull request created: #50752 |
Taking over #50617